Description
Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.
Remediation
References
https://bugzilla.redhat.com/show_bug.cgi?id=2050228
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-076.txt
https://www.syss.de/pentest-blog/fehlerhafte-autorisierung-bei-red-hat-single-sign-on-750ga-syss-2021-076
Related Vulnerabilities
CVE-2021-42697 Vulnerability in maven package com.typesafe.akka:akka-http
CVE-2022-29253 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore
CVE-2023-48967 Vulnerability in maven package org.noear:solon.serialization.fury
CVE-2021-21685 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2022-24821 Vulnerability in maven package org.xwiki.platform:xwiki-platform-skin-skinx